[CRIU] implementing some kind of --leave-frozen option for c/r in CRIU

Tycho Andersen tycho.andersen at canonical.com
Wed May 18 11:30:46 PDT 2016


On Wed, May 18, 2016 at 11:28:59AM -0700, Andrei Vagin wrote:
> On Wed, May 18, 2016 at 11:12 AM, Tycho Andersen
> <tycho.andersen at canonical.com> wrote:
> > Hi Andrey,
> >
> > On Tue, May 17, 2016 at 10:20:42AM -0700, Andrew Vagin wrote:
> >> Yesterday I tried to use a separate table in the case when netns isn't
> >> dumped:
> >> https://github.com/avagin/criu/commit/a3b3ae4e7db40f5b0d4456b27062484c9e27ad8a
> >
> > Cool, thanks for this!
> >
> >> here are two problems:
> >> * we need two tables to block input and output traffic
> >> * we need to generate unique names for these tables. We can't use fixed
> >>   names, because we may want to make checkpoint/restore a few times
> >>   simultaneously.
> >
> > r.e. the unique names, what if we add some parameter --iptables-suffix
> > so that the user can specify the suffix if they want. Otherwise, we
> > can just randomly generate a string that's say 10 characters long and
> > hope that they don't collide?
> 
> We need to save this uuid into images, because we need to get it on restore.

Hmm, I don't understand. Why do we need it on restore?

> >
> > In lxc's case, we could just use the container's name as the suffix,
> > since we know that those are unique on the host. I assume the same
> > thing would be true of openvz.
> 
> This problem exists only for cases when netns isn't dumped. Does LXC
> allow creating containers without netns?

Yes, it does.

Tycho

> >
> > If that sounds reasonable, I can adopt your patch + the
> > --iptables-suffix and my --leave-frozen patch and send the full set.
> >
> > Tycho
> >
> >> The profit from this approach is that:
> >> * we can unlock network very fast and don't need to enumerate sockets
> >>   for that.
> >> * It's easy to understand which rules were added by criu and a user
> >>   can easily clean them up himself
> >>
> >> >
> >> > Tycho
> >> >
> >> > > >
> >> > > > static const char *nf_conn_cmd = "%s -t filter %s %s --protocol tcp "
> >> > > >         "--source %s --sport %d --destination %s --dport %d -j DROP";
> >> > > >
> >> > > > Tycho
> > _______________________________________________
> > CRIU mailing list
> > CRIU at openvz.org
> > https://lists.openvz.org/mailman/listinfo/criu
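The thread above discusses blocking a container's traffic with netfilter rules whose names must be unique per checkpoint (so that concurrent dumps do not collide) and recorded so that restore or a later cleanup can find them. The script below is an added illustration, not CRIU's own code or the patch linked in the thread: instead of a separate table it creates a pair of filter-table chains named CRIU-<suffix>-IN and CRIU-<suffix>-OUT (naming scheme and the 10-character random suffix are assumptions), hooks them into INPUT and OUTPUT, and removes them in the reverse order, which is the order iptables requires so a chain is never deleted while still referenced.

```shell
#!/bin/sh
# Added example (not CRIU's code): lock and unlock a host's TCP traffic with
# uniquely named iptables chains so several checkpoints can coexist and so the
# rules are easy to identify and remove afterwards.
set -eu

# Command used to talk to netfilter. Override with IPT=log_cmd for a dry run
# that only prints what would be executed (used by the checks below).
IPT="${IPT:-iptables}"

log_cmd() {
    printf '%s\n' "$*"
}

# Random 10-character suffix (an assumption for this example; a caller that
# already has a unique name, such as a container name, can pass that instead).
gen_suffix() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 10
}

# Create the two chains, fill them with DROP rules, and jump to them from the
# head of INPUT and OUTPUT. The caller must record the suffix (CRIU would keep
# it in the image set) because net_unlock needs it later.
net_lock() {
    suffix="$1"
    in_chain="CRIU-${suffix}-IN"
    out_chain="CRIU-${suffix}-OUT"
    $IPT -t filter -N "$in_chain"
    $IPT -t filter -N "$out_chain"
    $IPT -t filter -A "$in_chain"  --protocol tcp -j DROP
    $IPT -t filter -A "$out_chain" --protocol tcp -j DROP
    $IPT -t filter -I INPUT  1 -j "$in_chain"
    $IPT -t filter -I OUTPUT 1 -j "$out_chain"
}

# Reverse order of net_lock: unhook the jumps first, then flush, then delete.
# iptables refuses to delete (-X) a chain that is still referenced or non-empty.
net_unlock() {
    suffix="$1"
    in_chain="CRIU-${suffix}-IN"
    out_chain="CRIU-${suffix}-OUT"
    $IPT -t filter -D INPUT  -j "$in_chain"
    $IPT -t filter -D OUTPUT -j "$out_chain"
    $IPT -t filter -F "$in_chain"
    $IPT -t filter -F "$out_chain"
    $IPT -t filter -X "$in_chain"
    $IPT -t filter -X "$out_chain"
}

# Usage (as root): ./net-lock.sh lock   -> prints the suffix to keep
#                  ./net-lock.sh unlock <suffix>
case "${1:-}" in
    lock)   s="$(gen_suffix)"; net_lock "$s"; echo "$s" ;;
    unlock) net_unlock "$2" ;;
    *)      ;;
esac
```

With IPT=log_cmd the script prints the twelve iptables invocations instead of running them, which is a convenient way to review exactly what will be added to and removed from the ruleset before running it with privileges.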